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Abstract — A novel time synchronization attack (TSA) on wide 
area monitoring systems in smart grid has been identified in 
the first part of this paper. A cross layer detection mechanism 
is proposed to combat TSA in part II of this paper. In the 
physical layer, we propose a GPS carrier signal noise ratio 
(C/No) based spoofing detection technique. In addition, a patch- 
monopole hybrid antenna is applied to receive GPS signal. By 
computing the standard deviation of the C/No difference from 
two GPS receivers, a priori probability of spoofing detection is 
fed to the upper layer, where power system state is estimated and 
controlled. A trustworthiness based evaluation method is applied 
to identify the PMU being under TSA. Both the physical layer 
and upper layer algorithms are integrated to detect the TSA, thus 
forming a cross layer mechanism. Experiment is carried out to 
verify the effectiveness of the proposed TSA detection algorithm. 

Index Terms — Time Synchronization Attack Defense, Trust- 
worthiness evaluation. Cross Layer Detection, GPS Spoofing 
Detection, Smart Grid 



I. Introduction 

The security of smart grid has become an important research 
topic (T) ifTSl 1251 . since the electricity system is closely 
related to many critically important aspects of modem society. 
The secure wide area monitoring system (WAMS) |I2] has 
become the key component in maintaining the reliability of 
the entire power system. As a complex subsystem of the 
smart gird, WAMS has faced many challenges on its security 
due to its widely distributed monitoring devices and extensive 
communication infrastructure [8 |. 

In part I of this paper, we identified a novel potential attack 
to WAMS in smart grid, namely the time synchronization 
attack (TSA) through GPS spoofing. Furthermore, we have 
analyzed and demonstrated the impact of TSA on three differ- 
ent WAMS applications, which showed that TSA can confuse 
the control center with a wrong system operation status by 
introducing counterfeit time stamps to the true measurements. 
Since the malicious attackers do not need to physically connect 
to the monitoring device or the communication network, 
TSA cannot be prevented by simply enhancing the firmware 
of the monitoring devices. In addition, unlike a malicious 
data attack ifTOl |[T4l . TSA does not change the monitoring 
data. Therefore, common defense methods for malicious data 
attacks are not suitable to combat TSA. 
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Motivated by the extreme importance of the security of 
WAMS in smart grid, in part II of this paper, we study the 
detection of TSA to ensure the reliability of the monitoring 
system. In the physical layer of WAMS, TSA can be mitigated 
by techniques of GPS spoofing detection, which can be imple- 
mented in each individual GPS receiver II2TI . These techniques 
are based on the GPS signal parameters obtained directly from 
the GPS receiver [11], such as its position solution [,6J L18l 
[24J, the Doppler shift of the GPS satellites El El, or the 
SNR of the GPS signals El- 

An effective low-cost implementation of an anti-spoofing 
technique can simply compare the position solutions from two 
GPS receivers close to each other, since a spoofing signal 
would cause both receivers to report the same position [|24l . 
To that end, the receivers need to be sufficiently far away 
from each other such that the two position solutions are easily 
separated in the absence of a spoofer; meanwhile, they should 
also be close enough such that they are affected by the same 
spoofing signal. For closely spaced receivers, the phase of 
the GPS signals at each receiver antenna can be used to 
detect the presence of a spoofer. As the spoofer signal comes 
from a particular direction, the phase shift between the two 
antennas will be identical for all satellites, for the spoofing 
signal, which is not true for real GPS signals coming from 
different directions. This technique can be further improved 
by predicting the expected phase shifts from the satellite orbit 
models. However, this technique requires the GPS receiver to 
measure and report the GPS carrier phase measurement, which 
may not be valid in practice. Angle-of-arrival (AOA) based 
spoofing detection (AOASD) ifTTl has been considered to be 
among the most effective techniques to detect a GPS spoofing 
attack. Typically, a GPS receiver receives navigation signal 
from multiple GPS satellites which have different AOAs. In 
a sharp contrast, counterfeit navigation signals from different 
GPS satellites have the same AOA, since all the GPS signal 
is transmitted by one GPS spoofer. However, the AOA based 
techniques typically require an antenna array with dedicated 
GPS receiver electronics to estimate the AOA of the GPS 
signals, which significantly increases the size and cost of 
device. 

In this paper, we propose a cross layer detection mechanism 
to protect WAMS against TSA. In the physical layer, we pro- 
pose a Carrier to Noise Measurements (C/No) based spoofing 
detection algorithm. The difference of the C/No obtained from 
two GPS receivers is analyzed to detect the TSA. In particular, 
we propose a monopole-patch hybrid antenna to detect a 
spoofing attack. The monopole antenna is connected to one 
GPS receiver and the patch antenna is connected to the other. 
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Since the monopole and patch antenna have different radiation 
patterns in elevation, the difference of the C/No measurements 
between the two receivers will vary with the elevation angle 
of the signal. The proposed system can thus discriminate the 
elevation AOA between signals without requiring an expensive 
multi-element antenna array. This technique is also expected 
to be effective against a cooperative GPS spoofing attack, 
as all the GPS spoofing signals are likely to come from the 
same elevation angle near the horizon. Furthermore, the output 
of the C/No based spoofing detection technique provides a 
probability indicating whether the individual GPS receiver 
is experiencing spoofing. Besides the physical layer TSA 
detection, we also propose a trustworthiness framework based 
TSA detection in the upper layer, based on Kalman filtering 
and cross-check. Figure [T] provides an illustration of how 
the trustworthiness of a set of monitoring devices could be 
evaluated 1121 . 
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Fig. 1: Illustration of trustiness evaluation based on power 
network modeling 

As illustrated in Figure [T] the entire power network consists 
of five generators (Gl, G2, G3, G4, G5), eight buses and 
three loads. There are five phasor measurement units (PMUs) 
distributed in the power network serving as the monitoring 
devices ||4|. Assume that PMU-4 is suffering TSA from a 
malicious attacker and that a transmission line fault occurs 
between bus2 and bus3, which causes a disturbance in the 
power network system. The distributed PMUs capture the 
dynamic feature of the system and report to the control 
center. Based on the time stamps attached to the measure- 
ments sampled by the PMUs, the control center aligns the 
measurements from different PMUs to infer the location of 
the fault. However, the measurements from PMU-4 cannot 
be aligned with those from other PMUs due to TSA. The 
measurements from different PMUs are correlated according 
to the interconnection of the entire network. Therefore, the 
trustworthiness of each PMU can be evaluated based on the 
system model and the system states. In this paper, we further 
combine both detection schemes in the physical and upper 
layers, thus forming a cross layer detection of TSA. 

The remainder of this paper is organized as follows. Section 
iniprovides the physical layer TSA detection algorithm. Section 
Hill presents the trustworthiness evaluation mechanism based 
on the interconnection modeling of the power grid. The 



cross layer TSA detection algorithm is given in Section |IV] 
Conclusions and future work are provided in Section |Vl] 

II. TSA Detection in Physical Layer 

In this section we propose a simple spoofer detection 
algorithm based on the Carrier to Noise Measurements (C/No) 
[1] obtained from two closely spaced GPS receivers. This 
technique could be implemented in an existing system by 
simply logging the C/No measurements of the existing GPS 
receiver and adding one more low cost GPS receiver module. 

A. C/No based spoofing detection 

This method uses the (C/No) measurement from two GPS 
receivers connected to two antennas with different radiation 
patterns Gi{9^(j)) and 6^2(6', (/>) to implement a mono-pulse 
system where the power ratio between two antennas is defined 



i?, = 101ogio( 



Go 



(1) 



Ri indicates the direction of arrival of the i^^ GPS signal 
arriving from azimuth direction 6i and elevation direction 0^. 
For the spoofing signal, all GPS signals are coming from the 
same direction sls 61 = 62 = ... = Oj and hence they should 
have the same power ratio, Ri between the two antennas. 
For the actual GPS signals Ri should differ for each satellite 
as the signals come from different directions. As a result, 
the standard deviation of Ri for all satellites observed at a 
given time point will be used to determine the likelihood of a 
spoofing signal. This technique could also make use of other 
observables such as the satellite Doppler shift and the final 
position solution to improve robustness. 

The C/No based spoofing detection works as follows: At 
each time point, the value of Ri for all observable GPS 
satellites is estimated from the C/No values obtained from 
the GPS receiver according to 



R^ = {C/No),^i{dB) - {C/No),^2{dB), 



(2) 



where {C /No)(i^ m) is the carrier to noise ratio of the i^^ GPS 
signal from the m}^ antenna in dB. The standard deviation 
of Ri is then compared with a threshold to determine the 
presence of a spoofing signal. The threshold is calculated from 
the two probability density functions (PDFs) of the standard 
deviation of the Ri values when a spoofer is present and absent 
to achieve a given false alarm rate. The two PDF's of the 
standard deviation of Ri for a signal present and absent were 
obtained by conducting a field experiment. 

B. Field experiment for PDF 

An experiment was set up using two GPS receivers, one 
connected to a patch antennas and one to a monopole antenna. 
The C/No values of each receiver along with the satellite 
elevation and azimuth angle were logged. The antenna gain 
patterns are significantly different as the radiation pattern of 
the patch has a maximum at 90 degrees elevation, while the 
monopole has a minimum at this angle. The basic setup for 
the spoofing experiment is shown in Figure |2] 



THIS PAPER HAS BEEN SUBMITTED TO IEEE TRANSACTION ON SMART GRID 



3 



GPS 




Laptop 





(a) C/No based detection experiment setup 
Monopole Patch 




(b) Monopole-patch hybrid antenna 
Fig. 2: Basic setup for spoofing experiment. 



The radiation patterns of the patch and monopole were 
measured in an anechoic chamber and are shown in Figure 
[3l Note that the antenna patterns are expected to be relatively 
uniform in azimuth, thus only the elevation cut is shown. 
The monopole antenna has reasonably good gain at all low 
elevation angles where it is most likely that a spoofer will 
attack. The C/No measurements from both receivers were 




(a) Laboratory setup diagram 




(b) Photo of the laboratory and devices 
Fig. 4: Illustration of the experiment setup. 




the Laboratory from a single antenna element, thus simulating 
a real spoofing environment. The C/No values from the GPS 
receivers connected to both antennas were logged to estimate 
the PDF of the standard deviation of the Ri. The basic setup 
for the spoofing experiment is shown in Figure |4] 

The PDF of the standard deviation of the Ri values for 
each of the two time periods of the day, and the spoofing 
signal, are shown in Figure |5] A non-central Chi distribution 



Measured Patch Antenna Pattern 

Measured Monopole Antenna Pattern 



Fig. 3: Radiation patterns of the monopole and patch antenna 

logged for approximately 90 minutes at two different times 
of the day. These measurements were then used to build up a 
histogram of the C/No power ratios, Ri, which were used to 
generated an estimated probability distribution (PDF) of the 
standard deviation of Ri for the GPS signals with no spoofer 
present. 

A PDF of the standard deviation of the Ri values observed 
from a spoofing signal was also obtained by setting up the 
antenna array in the Laboratory where the GPS receiver 
was unable to track most of the real GPS signals, and then 
introducing the spoofing signal by using a GPS repeater. The 
GPS repeater was used to re-radiate the GPS signals inside 
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Fig. 5: Estimated PDF of the standard deviation of the power 
ratio Rn between antennas for real GPS signals and spoofer 
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was fitted to the GPS signal PDF's and a chi distribution 
to the spoofer PDF. The Chi distribution was chosen as the 
test statistic is the standard distribution of a set of random 
variables. It is clear from Figure |5] that the PDFs have a 
better separation during the second time period. This is due 
to a more favorable satellite geometry during this time period. 
This suggests that the detection threshold and false alarm rate 
should be adjusted based on the time of day. The satellite orbits 
are predictable and repeat daily, allowing the receiver to build 
up a PDF of the expected standard deviation of the Ri test 
statistic for the GPS signal only (no spoofer) case for each time 
period of the day and hence determine the optimal threshold, 
false alarm rate and probability of detection for that particular 
period. The receiver operation character (ROC) curves for the 
two 90 minutes periods over which the data was logged are 
shown in Figure [6] and clearly show a much better detection 
performance during the second time period indicating a more 
optimal satellite geometry. 




False Alarm Rate 

Fig. 6: ROC curve for the Ri test statistic in detecting a 
Spoofer 

In summary, the spoofing detection algorithm on the phys- 
ical layer provides priori information of whether PMU n is 
suffering from TSA, which is given by the likelihood ratio: 

^ _ p{ypHY{n))\Tn =Hi 
^^^^ " p{yPHY{n))\T^=Ho^ 

where p{y PHY {n)) = std{[Ri, R2, Ri...RN])', = Hi 
and Tn = H denote the hypotheses of whether PMU 
n is under TSA or not, respectively. The probability of 
p{ypHY{n))\Tn = Hi and p{ypHY{n))\Tn = Hq can be 
further used as the priori information for the trustworthiness 
evaluation in the upper layer, which will be discussed in the 
subsequent sections. 

III. Trustworthiness Based TSA Detection 

In this section, we discuss the TSA detection in the upper 
layer, i.e., from the viewpoint of signal processing. We first 
introduce the linear system model for the power grid. Then, 
we propose a mechanism for evaluating the trustworthiness of 
each monitoring device based on the linear system model. 



A. Linear System Model 

Generally, smart grid is a wide area interconnected nonlinear 
system. However, for the purpose of designing a WAMS in a 
smart grid, the dynamic feature of the entire power grid can 
be modeled as a linear system around the equilibrium point, 
given small perturbations [[T3l [[T6l . We will focus on linear 
system model in this paper and extend to nonlinear case in 
the future. 

Mathematically, the linearized power system can be ex- 
pressed as a state space model, which is given by 

x(t + 1) = Ax(t) + Bu(t) + w(t) (4) 
y(t) = Cx(t)+v(t) (5) 

where x is an TV x 1 vector and represents the system 
operation state of the power grid, y is an M x 1 vector 
representing the monitoring measurements and u is the control 
action taken by the control center. The matrices A, B, and 
matrix C are specified in the linearized system model and the 
monitoring mechanism, respectively. Both w(t) and v(t) are 
modeled as Gaussian noise. Note that the dynamics in power 
grid are continuous in the time domain. Here we consider a 
discrete time model for simplicity. We further suppose that 
each dimension of the measurement vector y is monitored 
by a monitoring device, e.g., PMU. It is easy to extend this 
to the general case in which the monitoring measurements 
have overlaps. Each monitoring device sends its measurements 
along with their time stamps to the control center via a secure 
communication network since they are distributed throughout 
the entire smart grid. For the TSA on the monitoring devices, 
we have following assumptions: 

• For simplicity, we assume that there is at most one at- 
tacker. The principle of the trustworthiness of the system 
can be extended to the case of multiple attackers at the 
cost of more computational cost. 

• The malicious attacker cannot modify the monitoring 
measurements; it can only trigger the monitoring device 
to sample at an incorrect time period using GPS spoofing. 
Therefore, the time stamps attached to those measure- 
ments are incorrect. 

• The control center misaligns the measurements from the 
monitoring devices under TSA, which is equivalent to 
shifting the measurements in the time domain. 

We assume that the controller adopts the linear quadratic 
regulation (LQR) control ||9l in an infinite time horizon [|23l 
with the cost function given by 

inf 

J = ElY, /3(t)(x^(t)Qx(t) + u^(t)Pu(t))], (6) 

where Q and P are both positive definite, and /3 is a weighting 
factor for each control time period. Based on the cost function 
in[6l the LQR action u{t) is given by 

u{t) = -(B^SB + P)-^B^SAx(t), (7) 

where x(t) is the estimation of the system state, and the matrix 
S satisfies the Algebraic Riccati Equation, which is given by 

S = A^(S - SB(B^SB + P)-^B^S)A + Q. (8) 
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B. Trustworthiness Evaluation 

In this subsection, we propose a mechanism for evaluating 
the trustworthiness of each monitoring device. The essential 
reason that the control center can evaluate the trustworthiness 
of each monitoring device is that the observations at different 
PMUs are coupled and thus provide redundancies (similarly 
to error correction codes in communications). Therefore, it 
can predict the future state with some uncertainty. If the 
report from a monitoring device significantly deviates from 
the prediction, then this monitoring device will be considered 
as unreliable and its reports will be ignored. Figure |7]illustrates 
the mechanism of trustworthiness evaluation, in which the 
monitoring device is a PMU that monitors the frequency of 
the power grid. 
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Fig. 7: Illustration of trustworthiness evaluation 

The system state prediction is obtained from the Kalman 
filter ||T9l . At time t + 1, we apply the system state prediction 
x(t) and the measurements y-n{t + 1) to predict the system 
state x(t + 1), in which y_n(t + 1) denotes the measurements 
excluding the one from PMU n. The Kalman predictor is given 
by 

x(t + 1) = Ax(t) + L-n{t + l)[y-n{t) - C_„Ax(t)], (9) 

where C_„ denotes the matrix C excluding the n-th row. The 
CO variance matrix L_„ is given by 

L_„(t+1) = S(t+l|t)C^„ [C_„S(t + mcl„ + all] , 

(10) 

where X) is the prediction covariance, which is given by 



J:{t + l\t) = A'E{t\t)A^ + BQB^ 



(11) 



where is the noise variance in the observations. After we 
obtain the system state prediction x(t + 1), the a posteriori 
probability of the measurement from PMU n is given by 

p{yn{t^l)\y-n{0:t)) 
- A/'(cnx(t + l),Cn5](t + l|t)cJ), (12) 

where denotes the n-th row of the observation matrix C. 
We denote by = Hi the hypothesis that PMU n is an 
unreliable monitoring device due to TSA, and = Hq as the 



hypothesis that the measurement from PMU n is trustworthy. 
Then, we define the trustworthiness level of PMU n at time 
slot t as 1 — 7Tn{t), where 7Tn{t) is the suspicious level, which 
is given by 



7rn{t)=P{Tn = Hi\y{0:t)). 



(13) 



In the next section, we will derive the trustworthiness evalua- 
tion based on the system state prediction and the information 
passed from the physical layer as prior information, which is 
coined cross layer TSA detection. Hence, we ignore the details 
of the Kalman filtering based trustworthiness evaluation since 
it is only a special case of the cross layer detection. 

IV. Cross Layer TSA Detection 

In this section, we present the cross layer TSA detection 
algorithm. Since both the spoofing detection mechanisms in 
the physical layer (based on the two antennas) and the upper 
layer (based on the Kalman filtering) are based on the prob- 
abilistic framework, we can integrate the detection schemes 
in the two layers to detect TSA. Based on the probabilistic 
framework, the spoofing detection result from physical layer 
can be regarded as the prior information for the upper layer 
to evaluate the suspicious level. The challenge for computing 
the suspicious level defined by ([T3l) is the unknown attacking 
strategy. We first assume that there must be an attacker. With 
the physical layer's detection as the prior information, we can 
derive ([13]), which is given by 

7r„(t) 4 p(T„ = J?i |y(0 : t), y^^y (t)), (14) 

where YpHri^) the output of the physical layer detection 
on time slot t from PMU n. Applying the Bayes rule upon 
( fT3] ). we have 

7r„(t) 

p(y(0:t),y^^^y(t)) 

p{Tn = Hi) 



My(0:i),yWW) 



(15) 



We assume that the outputs of the physical layer's detection 
and the upper layer's observation of PMU are independent of 
each other, thus resulting in 



7r„(t) 

p(y(0:t)|r„ 



Fi)p(T„ = Hi) 



p(y(0:t)My^ffy(t)) 

, p{y-pHYit)\Tu = Hi) 

>(y(0:t)My^^,y(i)) 

p{y{0:t)\Tn = Hi) 



E 



N 



,p{y{0:t)\T^ = Hi) 
PiypHYit)\Tn 



(16) 



Hi) 



(p(yW(*)|r„ = Fi) +p(y^^y(t)|T„ = Ho))' 

The conditional distribution of p{ypjjY{t)\Tn = Hi) and 
p{ypjjY{t)\Tn = Hq)) are given by the curves in Figure [5] 
Since we do not have the prior information about the attacker's 
TSA strategies, it is reasonable to assume that the PMU's 
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report under TSA in each time slot is independent. Therefore, 
the first part of ([T6] ) can be decomposed into 

p{y{0:t)\Tn = H,) 



El=iPiy{o--t)\T„ 
1 



^i) 



i + E. 



n'=oP(y(«)l7'"=-f^i) 



(17) 



Since there is only one TSA attacker, the unknown TSA 
strategies also make the observations at different PMUs in- 
dependent, which provides the following approximation: 

p{y{s)\Tn = H,) (18) 
^ p{yn{s)\Tn=Hi)l[p{yk{s)\Tk = Ho). 

We further assume that p{yn{s)\Tn = i^i) is a constant 
since we have no knowledge about the attacker's strategy. 
Substituting (fTSl) into ([T6l) . we obtain 



n: 



S = p{yr^{S)\Tr^=Ho) 



-rPHvit). (19) 



p{yUS)\Trr.^Ho) 



where 



tpHvit) 



(20) 



p{y'hHYit)\Tn = H,) 



iPiypHYit)\Tn = H,) +p{y"pHYit)\Tn = Ho))' 

where rjp^jy (^) is the physical layer's prior probability calcu- 
lated using the curves in Figure |5] directly. 

When it is possible that there is no attacker, the first part 
of ([T6l) can be modified as 



p{y{0 : t)\T^ = H^)p{Tr, = H,) 
p{y{0:t),Hs)^p{y{0:t),H^) 
P{y'}>HYit)\Tn = Hr) 



(21) 



p{Hs)/p{H^) + 



where Hs and denote the hypotheses that there is no 
attacker and that there is one attacker, respectively. 

V. Experiments Results 

In this section, we conduct experiments to demonstrate 
the proposed cross layer TSA detection algorithm. The TSA 
detection reports in the physical layer are obtained from 
the experiment setup in subsection III-BI The results of the 
physical layer detection will be fed to the upper layer for 
trustworthiness evaluation. 



A. Upper Layer Linear System model 

We adopt the linear model of power grid used in [fT3l . in 
which the system state matrix A is given by Eq. (13) in |[T3ll . 
Since we discuss the discrete-time model in this paper, we 
approximate the continuous-time state space model by setting 
a small time step At. Therefore, the discrete-time state space 
equation is given by 
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(a) Constant time label shift TSA 




x(t + 1) = (I - AtA)x(t) + AtBu(t). 



(22) 



50 100 150 200 250 300 350 400 
Simulation time (ms) 

(b) Random time label shift TSA 



Fig. 8: Suspicious level of different PMUs under different TSA 
attack strategies 



There are five PMUs in the system, and we only consider the 
frequency measurement. Consequently, we set the observation 
matrix as a 5 x 5 identity matrix. We further assume that PMU 
5 encounters TSA and other PMUs operate normally. 



B. Upper Layer Evolution of Suspicious level 

In Figure [H we demonstrate the evolution of the suspicious 
level when the attacker adopts different attack strategies. The 
attacker launches TSA on PMU 5 with attack frequency of 
0.3, which means the attacker at each time slot launches TSA 
with probability of 0.3. In Figure |8(a)[ the attacker modifies 
the time stamps with a constant shift value, and in Figure 
|8(b)[ the attacker modifies the time stamps with a random shift 
value. The simulations show that the suspicious level of PMU 
5 increases significantly after some fluctuation regardless of 
the strategies the attacker applies. The fluctuation in the initial 
stages are due to the randomness in the Kalman filtering, since 
it takes time for the Kalman filter to track the system state. 
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C. Cross Layer TSA Detection 

Then, we simulate the proposed cross layer TSA detection 
algorithm. Figure [9] demonstrates that the suspicious level of 
the PMU under TSA increases faster when the physical layer's 
detection reports are used as the prior information. 
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Fig. 9: The performance comparison of TSA detection with 
physical layer prior and without physical layer prior 

In Figure [TOl we plot the cumulative distribution function 
(CDF) curves of the time needed for detecting the TSA. This 
further verifies that cross layer TSA detection can identify 
TSA faster than the situation when only upper layer trustwor- 
thiness evaluation is used. It should be noted that the detection 
performance is improved regardless the attacker's strategies. 



Constant time shift TSA 




witliout pliysical layer priori 
Constant time sliift TSA 
witli pliysical layer priori 
Constant time shift TSA 
with physical layer priori 
Constant time shift TSA 
without physical layer priori 



150 200 250 

TSA Detection time (ms) 



300 



Fig. 10: CDF curves of the time of identification of TSA 

The receiver operation character (ROC) curves are given 
by Figure [TT] In contrast to typical ROC curves, we study the 
average TSA detection delay and the false alarm rate. The false 
alarm rate is defined as the event that a PMU not suffering 
from TSA is claimed to be under TSA. It is observed from 
Figure [TT] that, given the same detection delay, the proposed 
cross layer TSA detection has lower false alarm rate compared 
with the TSA detection without the collaboration between the 
physical layer and upper layer. 



Constant time shift TSA 
without physical priori 
Constant time shift TSA 
with physical priori 
Random time shift TSA 
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0.4 0.6 
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Fig. 11: ROC curves (detection delay and false alarm) for 
different attack strategies 



VI. Conclusion 

In this paper, we have proposed a cross layer detection 
mechanism to combat time synchronization attack in smart 
grid. In the physical layer, we apply patch-monopole hybrid 
antenna to receive GPS signal, which will be fed to two GPS 
receivers. The difference of the C/No from the patch and 
monopole is used to estimate the probability of being under 
TSA. The experiment has shown that the standard derivation 
of the difference of the C/No from two GPS receivers follows 
different distributions. In the upper layer, we have applied the 
Kalman filtering and cross check to evaluate the trustwor- 
thiness of the reports. Furthermore we have fused the TSA 
detection result in the physical layer, as prior information, with 
the upper layer detection. Numerical results have demonstrated 
that the cross layer detection scheme can effectively improve 
performance, with faster detection speed or lower false alarm 
rate. 
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